New WP29 Opinion on the application of EU data protection law to non-EU businesses

The EU's Article 29 Working Party has published an Opinion that seeks to clarify the application of EU data protection law in relation to businesses based outside the EU.

The EU's Article 29 Working Party (the 'WP29') is an EU advisory body made up of representatives of the national Data Protection Authorities of the EU Member States. It has recently published an Opinion on the application of EU data protection law to businesses based outside the EU. The question of whether EU data protection law applies to a business is of critical importance to ensuring that that business can identify and satisfy its compliance obligations. The new Opinion amends the WP29's previous views in light of the 2014 CJEU decision in Costeja (Case C‑131/12). Although the Opinion is dated 16 December 2015, it was only released to the public in January 2016.

What did the WP29's previous guidance say?

In 2010, the WP29 issued Opinion 8/2010, in which it examined the question of how EU data protection law under Directive 95/46/EC (the 'Directive') applies to businesses, both within and outside the EU. It stated that EU data protection law applies whenever personal data are processed 'in the context of the activities of an establishment' of a data controller in the EU.

An obvious example of an ‘establishment' is a business that is based in the EU and processes the personal data of EU residents. But in the case of businesses that are based outside the EU, the issue is less clear. In its 2010 Opinion, the WP29 had suggested that the concept of ‘establishment' should be interpreted broadly, and that the key question was whether a business was engaged in 'real and effective activity through stable arrangements' in one or more EU Member States. If so, then that business was likely established in those Member States.

What did the CJEU say?

Four years later, the question of whether EU data protection law applies to a business based outside the EU came before the Court of Justice of the EU (the 'CJEU') in the case of Costeja. In that case, the CJEU held that there was an 'inextricable link' between services provided by a US parent company to individual users in the EU, and advertising revenue collected by a subsidiary established in Spain. Consequently, the US parent company was held to be processing personal data of those individual users 'in the context of' that Spanish establishment, and was therefore subject to EU data protection law in respect of that processing. This decision clearly has the potential to significantly increase the number of businesses located outside the EU that are nevertheless required to comply with EU data protection law.

What does the WP29's revised Opinion say?

The WP29 has taken more than 18 months to produce its revised 2015 Opinion in response to the CJEU's decision in Costeja. In that revised Opinion, the WP29 is careful not to apply the ‘inextricable link' test too broadly, emphasising the importance of a case-by-case analysis. An ‘inextricable link' will not arise for every non-EU entity that has operations in the EU. The mere fact that two entities are part of the same corporate group is not sufficient to establish such a link – there must be an actual connection between the business activities performed by a subsidiary established in the EU and the data processing carried out by the non-EU entity.

Which businesses are affected?

Following Costeja and the WP29's 2015 Opinion with its revised interpretation of the ‘inextricable link' test, many non-EU businesses that have operations in the EU could potentially find themselves subject to EU data protection law. For example, assume that an online business is headquartered in the US and has several subsidiaries in the EU. All online user accounts are managed by the US parent company, and users contract directly with that US parent company, under terms and conditions that are governed by, for example, the laws of the State of New York. The business's EU subsidiaries do not manage user accounts or make decisions about the processing of users' personal data. However, they do perform, say, a sales function, from which they collect revenue. These subsidiaries are established in the EU, and are enabling the US parent company to do business in the EU. On these facts, there is a significant risk that EU Data Protection Authorities may take the view that an ‘inextricable link' exists between the data processing activities carried out by the US parent company, and the economic activities of its EU subsidiaries, and may therefore conclude that such processing takes place 'in the context of' those EU establishments. In that scenario, EU Data Protection Authorities are likely to consider that the US parent company is subject to the requirements of EU data protection law.

What does the forthcoming General Data Protection Regulation say?

In reality, the impact of the WP29's guidance will be short-lived, because the General Data Protection Regulation (the 'GDPR'), which is likely to take effect in 2018, will redefine the rules regarding the application of EU data protection law to non-EU businesses – making the test even broader than it already is. Under the GDPR, any business that is based outside the EU, but either: (i) offers goods or services to EU residents; or (ii) monitors the behaviour of EU residents, will be subject to the requirements of EU data protection law.

The clear trend in these developments is toward the increasingly strong extraterritorial application of EU data protection law. Businesses based outside the EU, but doing business in the EU, should take note of the fact that the law is moving in this direction, and carefully consider whether EU data protection law is likely to apply to them.